nanog mailing list archives
Re: SSH on the router - was( IT security people sleep well)
From: Henry Linneweh <hrlinneweh () sbcglobal net>
Date: Mon, 7 Jun 2004 08:13:33 -0700 (PDT)
That was well spoken and certainly the smartest move that I have in this entire conversation, thanks.

-Henry

--- Michael.Dillon () radianz com wrote:

> complaining that cisco charges extra for such a critical component is
> exactly the right thing to do; it is fucking scary. every damn network
> device which used to have telnet should ship with ssh, it's free.

Why? The typical network architecture of an ISP sees routers located in large clusters in a PoP or on a customer's site directly connected to a PoP. Since it is dead simple to place a 1U Linux box or similar SPARC server in a PoP to act as a secure gateway, why should router vendors encourage laziness and sloppiness?

IMHO routers should not have SSH at all and should not accept any packets directed to them unless they are coming from a small set of known addresses on the network operator's management network. Once you open the router to SSH from arbitrary locations on the Internet you also open the router to DDoS from arbitrary locations and to attacks from people with inside info (SSH keys stolen or otherwise). It makes more sense to funnel everything through secure gateways and then use SSH as a second level of security to allow staff to connect to the secure gateways from the Internet. Of course these secure gateways are more than just security proxies; they can also contain diagnostic tools, auditing functions, scripting capability, etc.

Now there is nothing fundamentally wrong with ADDING to that type of architecture by enabling SSH between the routers and the security gateways. But I believe that it is fundamentally wrong to consider SSH on the router to be equivalent to opening the router to any staff member, anytime, anywhere on the Internet. There are still possible man in the middle attacks that cannot be protected against by SSH. Consider the case of a staff member lounging in the backyard on a lazy Saturday afternoon with their iBook. They have an 802.11 wireless LAN at home so they telnet to their Linux box in the kitchen and run SSH to the router. Ooops!

The only way to protect against that sort of situation is to encourage everyone to be security-minded and not take risks where the network is concerned. Funneling all access to routers through a secure gateway is part of that security-mindedness and is just plain good practice.

--Michael Dillon
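The management-access policy Michael argues for above (routers accept management sessions only over SSH and only from a small set of known addresses on the operator's management network) can be checked mechanically. The script below is an added example, not code from this thread or from any vendor: it audits a router configuration for VTY lines that allow telnet, that have no inbound access-class at all, or whose access-class permits sources outside the management prefixes. The sample configuration and the management prefix are constructed, and the command syntax (`line vty`, `access-class N in`, `transport input`, standard numbered `access-list` with wildcard masks) is assumed to follow common Cisco IOS conventions.

```python
"""Audit a router config for the management-access policy described in the
thread: every VTY line must accept SSH only, and only from addresses inside
the operator's management network (enforced with an inbound access-class).

Added example. The config text and prefixes are constructed; command syntax
is assumed to follow Cisco IOS conventions and is not taken from the thread.
"""
import ipaddress
import re

# Constructed sample: one VTY range done right, one left wide open.
SAMPLE_CONFIG = """\
hostname edge-router-1
!
access-list 10 permit 10.250.0.0 0.0.0.255
access-list 10 deny   any
!
line vty 0 4
 access-class 10 in
 transport input ssh
!
line vty 5 15
 transport input telnet ssh
!
"""

# Prefixes of the operator's management network (constructed value).
MANAGEMENT_PREFIXES = [ipaddress.ip_network("10.250.0.0/24")]


def parse_acls(config):
    """Return {acl_number: [(action, network), ...]} from standard numbered
    'access-list N permit|deny ADDR WILDCARD' lines (IOS wildcard = inverted mask)."""
    acls = {}
    for line in config.splitlines():
        m = re.match(r"access-list (\d+) (permit|deny)\s+(\S+)(?:\s+(\S+))?", line)
        if not m:
            continue
        num, action, addr, wildcard = m.groups()
        if addr == "any":
            net = ipaddress.ip_network("0.0.0.0/0")
        else:
            wc = wildcard or "0.0.0.0"
            mask = ipaddress.ip_address(0xFFFFFFFF ^ int(ipaddress.ip_address(wc)))
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        acls.setdefault(num, []).append((action, net))
    return acls


def parse_vty_blocks(config):
    """Return [(header, [sub-commands])] for each 'line vty' block; a block
    ends at the first line that is not indented."""
    blocks = []
    current = None
    for line in config.splitlines():
        if line.startswith("line vty"):
            current = (line.strip(), [])
            blocks.append(current)
        elif current is not None and line.startswith(" "):
            current[1].append(line.strip())
        else:
            current = None
    return blocks


def acl_confined_to(acl_entries, prefixes):
    """True only if the ACL permits something and every permit entry lies
    inside one of the given management prefixes."""
    permits = [net for action, net in acl_entries if action == "permit"]
    if not permits:
        return False
    return all(any(net.subnet_of(p) for p in prefixes) for net in permits)


def audit(config, prefixes=MANAGEMENT_PREFIXES):
    """Return [(vty_header, finding)]; an empty list means the policy is met."""
    acls = parse_acls(config)
    findings = []
    for header, cmds in parse_vty_blocks(config):
        transport = next((c for c in cmds if c.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append((header, "transport must be 'ssh' only"))
        access = next((c for c in cmds if c.startswith("access-class")), None)
        if access is None:
            findings.append((header, "no inbound access-class: reachable from anywhere"))
        else:
            acl_num = access.split()[1]
            if not acl_confined_to(acls.get(acl_num, []), prefixes):
                findings.append((header, f"access-class {acl_num} permits sources outside the management network"))
    return findings


if __name__ == "__main__":
    for header, finding in audit(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```

Run against the constructed sample, `line vty 0 4` passes and `line vty 5 15` is reported twice: once for allowing telnet and once for having no access-class. The same check on a config whose access-class permits `any` flags the first range as well, which is the "SSH from anywhere" case the thread warns about; the secure-gateway's own address range is what would normally go in `MANAGEMENT_PREFIXES`.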
Current thread:
- Re: IT security people sleep well, (continued)
- Re: IT security people sleep well John Kinsella (Jun 03)
- Re: IT security people sleep well Joel Jaeggli (Jun 04)
- Site elimination service -:) - I received offer by 's'p'a'm' Alexei Roudnev (Jun 03)
- Re: IT security people sleep well Paul Jakma (Jun 05)
- Re: IT security people sleep well Mike Lewinski (Jun 05)
- Re: IT security people sleep well Paul Jakma (Jun 05)
- Re: IT security people sleep well Henning Brauer (Jun 06)
- Re: IT security people sleep well Paul Jakma (Jun 06)
- SSH on the router - was( IT security people sleep well) Michael . Dillon (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Rubens Kuhl Jr. (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Henry Linneweh (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Henning Brauer (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Alex Bligh (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Edward B. Dreger (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Michael . Dillon (Jun 08)
- Re: SSH on the router - was( IT security people sleep well) Alexei Roudnev (Jun 08)
- Re: SSH on the router - was( IT security people sleep well) Randy Bush (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Alex Bligh (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Randy Bush (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Valdis . Kletnieks (Jun 07)
- Re: SSH on the router - was( IT security people sleep well) Alex Bligh (Jun 07)